Security automation using robotic process automation

ABSTRACT

Security automation, such as penetration testing or security hardening, is performed using robotic process automation (RPA) by directly connecting one or more robots into an operating system of a platform. The one or more robots execute a workflow to simulate the penetration testing of the operating system to identify malicious activity or vulnerable configurations within the operating system. The one or more robots also generate a report for the user identifying the malicious activity, misconfigurations or vulnerabilities within the environment.

FIELD

The present invention generally relates to robotic process automation(RPA), and more specifically, to performing security (orpenetration/hardening) tests on the entire environment, machine, orvirtual machine (VM) using RPA.

BACKGROUND

A penetration test, also known as a pen test, pentest or ethicalhacking, is an authorized simulated cyberattack on a computer system,performed to evaluate the security of the system. The test is performedto identify both weaknesses (or vulnerabilities), including thepotential for unauthorized parties to gain access to the system'sfeatures and data, as well as strengths, enabling a full risk assessmentto be completed.

There are antivirus applications that perform tests on dynamicenvironment to check whether there are any potential frauds/viruses thatare present in the system. These antivirus applications search files andsignature (or hashes) to discover potential threats or viruses. However,these antivirus applications do not perform penetration testing, similarto those performed by humans.

Accordingly, an improved method for performing penetration testing ofthe entire environment, machine, or VM using RPA may be beneficial.

SUMMARY

Certain embodiments of the present invention may provide solutions tothe problems and needs in the art that have not yet been fullyidentified, appreciated, or solved by current antivirus technologies.For example, some embodiments of the present invention pertain to amethod for performing penetration testing of the entire environment,machine, or VM without human intervention.

In an embodiment, a computer-implemented method for performingpenetration testing using RPA includes directly connecting one or morerobots into an operating system of a platform. The method also includesexecuting, by the one or more robots, a workflow to simulate thepenetration testing of the operating system to identify maliciousactivity or vulnerable configurations within the operating system. Themethod further includes generating, by the one or more robots, a reportfor the user identifying the malicious activity, misconfigurations orvulnerabilities within the environment.

In another embodiment, an apparatus configured to perform penetrationtesting using RPA. The apparatus includes memory comprising a set ofinstructions, and at least one processor. The set of instructions areconfigured to cause the at least one processor to execute directlyconnecting one or more robots into an operating system of a platform.The set of instructions are further configured to cause the at least oneprocessor to execute, by the one or more robots, a workflow to simulatethe penetration testing of the operating system to identify maliciousactivity or vulnerable configurations within the operating system. Theset of instructions are further configured to cause the at least oneprocessor to execute generating, by the one or more robots, a report forthe user identifying the malicious activity, misconfigurations orvulnerabilities within the environment.

In yet another embodiment, a computer program is embodied on anon-transitory computer-readable medium. The computer program isconfigured to cause at least one processor to execute directlyconnecting one or more robots into an operating system of a platform.The computer program is further configured to cause at least oneprocessor to execute, by the one or more robots, a workflow to simulatethe penetration testing of the operating system to identify maliciousactivity or vulnerable configurations within the operating system. Thecomputer program is further configured to cause at least one processorto execute generate a report for the user identifying the maliciousactivity, misconfigurations or vulnerabilities within the environment.

BRIEF DESCRIPTION OF THE DRAWINGS

In order that the advantages of certain embodiments of the inventionwill be readily understood, a more particular description of theinvention briefly described above will be rendered by reference tospecific embodiments that are illustrated in the appended drawings.While it should be understood that these drawings depict only typicalembodiments of the invention and are not therefore to be considered tobe limiting of its scope, the invention will be described and explainedwith additional specificity and detail through the use of theaccompanying drawings, in which:

FIG. 1 is an architectural diagram illustrating an RPA system, accordingto an embodiment of the present invention.

FIG. 2 is an architectural diagram illustrating a deployed RPA system,according to an embodiment of the present invention.

FIG. 3 is an architectural diagram illustrating the relationship betweena designer, activities, and drivers, according to an embodiment of thepresent invention.

FIG. 4 is an architectural diagram illustrating an RPA system, accordingto an embodiment of the present invention.

FIG. 5 is an architectural diagram illustrating a computing systemconfigured to perform penetration testing without human intervention,according to an embodiment of the present invention.

FIG. 6 is a flow diagram illustrating a method for testing an entireenvironment for security vulnerabilities, according to an embodiment ofthe present invention.

FIG. 7 is a flow diagram illustrating a method for modifying a workflow,according to an embodiment of the present invention.

FIG. 8 is a diagram illustrating a workflow for executing a sequence ofsteps by one or more robots during a pen test, according to anembodiment of the present invention.

FIGS. 9 and 10 are diagrams illustrating a conceptual state machine andworkflow for executing a targeted fuzzing approach, according to anembodiment of the present invention.

DETAILED DESCRIPTION OF THE EMBODIMENTS

Some embodiments pertain to a method for performing penetration (pen)testing using RPA without human intervention. In an embodiment, to testthe entire environment and simulate the pen tester, the robot isdirectly connected and hooked into the operating system (OS). Forexample, robot(s) currently deployed in the OS may be utilized fortesting and simulating the pen test. In another example, a specificrobot, not currently utilized by any application in the OS, can bedeployed to test and simulate the pen test. For example, during the pentest, the robot searches the Windows® Registry and scrapes data from thefile system to search for security vulnerabilities.

To perform the pen testing, multiple approaches may be employed. Forexample, a workflow (specific for each platform) is written such that,when executed, the workflow causes the robot to perform actions similarto those performed by the pen tester. For instance, Windows® OS versusLinux® OS may be tested differently. For that reason, the workflow mustbe written specific to the platform.

In instances where the pen tester's actions are performed by a mouse,the actions performed are recorded. For example, a robot records theactions of a user (e.g., pen tester), when the user is performing thepen test. Using the recorded actions of the user, the robot then teststhe environment to check for security vulnerabilities caused by variousfactors. These factors may include malicious activity on the machine,vulnerable configurations, suspicious activities, viruses, etc.

In some embodiments, the ability to record the actions or stepsconducted by the pen tester and store the recorded actions or steps maybe atomic or chained sequences. Chained sequences may be defined asputting atomic actions one after another, i.e., creating a sequence ofsteps. Atomic may be defined as a single step or a unique (indivisible)action.

It should be appreciated that the robot records the pen tester's actionsduring each penetration test of the environment. These actions are thenstored in a database. By continuously recording the user's actions, thepen tester or robot may continue to improve the pen testing, and in someembodiments, replay the pen tester's actions.

In certain embodiments, custom security workflows are created, i.e., theone or more sequences in a pen test are modified by adding, removing, orediting each individual component for a specific system and/orenvironment. For example, a previous workflow or pen test is reviewed,and based on the review, the pen test is modified to add, remove, oredit one or more steps in the pen test. This may be performed by the pentester or by a machine learning (ML) algorithm.

In certain embodiments, using ML algorithms, the robot uses the recordedactions to perform the penetration test. For example, the ML algorithmscompile a new test or modify a pervious pen test for the robot toexecute based on previously recorded actions by the robot or by the pentester. In some other embodiments, two separate workflows may beanalyzed by the robot or pen tester and may be combined to create asingle (unitary) workflow for the robot to execute. This may be done tooptimize the pen testing process.

As briefly discussed above, the robot may search and/or evaluate forsecurity vulnerabilities. One method to evaluate securityvulnerabilities involves the robot searching for updates and patches,identifying out-of-date software. The robot may also access public orprivate databases comprising of vulnerabilities. By accessing the publicor private database, the robot searches for the vulnerabilitiesassociated with the identified out-of-data software, or in someembodiments, for any software installed on the OS.

Another approach would be a ‘network’ approach. Under this approach, therobot scans the ports and services open or available on the computingdevice or OS. The robot may look up each service and identify weakcredential logins. In one example, the robot may use ‘default’credential logins to access the scanned port and services. The reasonfor this is because many times, the user may not change the logincredentials and continue to utilize the ‘default’ credential logins. Therobot may also use a ‘brute force’ approach. Under this approach, therobot may use various passwords and credentials to access the ports andservices. Another aspect of this ‘network’ approach would be to test theopen ports and services with malicious payloads from knownvulnerabilities and analyze the response, determining if said port orservice has been comprised in any way.

In some embodiments, each robot may be afforded a different level ofaccess. For example, let's say through social engineering a user'saccount (e.g., from legal department) is compromised. The robot mayinfiltrate the environment through the comprised user's account. On theother hand, if the admin account is compromised, the robot mayinfiltrate the comprised admin account, which has a different level ofaccess than other users. Depending on the level of access, the robot mayattempt infiltrate different access points across the OS, e.g., ports orservices.

In another embodiments, the robot may be assigned a predefined level ofaccess. For example, there may be a robot with a normal user access,another robot with admin user access, and so forth. This way, each robotmay execute a workflow for the pen test that is specific for the levelof access assigned thereto.

Some embodiments may allow for security hardening in a dynamic way. Forexample, in software development, there is an adopted practice of fuzztesting. With fuzz testing, before release of software, the software istested to ensure that security issues or vulnerabilities are reduced toa minimum. The robot in this embodiment may bombard the target withdifferent malicious or malformed payloads and look for unexpectedbehavior; hence, security hardening in a dynamic way. By securityhardening, the security of the computing system is improved, ensuringthat vulnerabilities within the computing system are reduced at aminimum or eliminated.

In some embodiments, the pen test may be assisted by the robot. Forexample, the robot is deployed to automate eighty (80) percent of thepen test, leaving twenty (20) percent of the pen testing to theindividual user (or pen tester). It should be appreciated the percentageof automation conducted by the robot may vary depending on theconfiguration of the pen test and the environment of the computingsystem, to name a few. In some other embodiment, the robot produces areport of the pen test. In those embodiments, the pen tester may reviewthe results of the automated pen test, and complete the remaining pentest.

In another embodiments, the pen tester may deploy one or more robots ina cluster the pen testing automations. In these embodiments, the pentester may concurrently perform pen testing or wait until the resultsfrom the pen testing automations are returned. In one example, in adeveloper's workstation, a number of ports and services are open at anygiven time. In this example, the one or more robots may perform pentesting automation on the number of ports and services that are open,leaving the pen tester to test any untested portion of the workstation.The untested portion may be any new tools or software that the one ormore robots are unaware of. However, if you take the other example of adedicated machine in which one or more users have a specificinteraction, the one or more robots may perform the pen test automationand confirm that all other programs are closed or secured and notaccessible by the one or more users.

Certain embodiments allow for the ability to perform dynamic testing,either manually targeted or automatically selected, on differentservices or binaries by using fuzzing. With fuzzing, for example,potentially malicious or malformed payloads are automatically generatedby the robot executing the workflow to test the resilience and securityof the target environment or OS. In this example, the primary objectiveis to provoke an unexpected behavior, this can be a denial of service(DoS) by crashing the target or getting erroneous outputs altogether.Another objective would be to hijack the control flow or gain access toprivileged data/capabilities by leveraging these payloads.

Let's think of this as a network approach or a standard local approach.From a network approach, the network port is scanned to identify openports. Upon identifying the open ports, a fuzzing attack is thenlaunched by the robot. By fuzzing, a sequence of commands are executed.These commands are either correctly formatted or altered in such a waythat the altered commands performed can lead to unexpected behavior suchas access to confidential data or features not normally accessible.

In an cluster environment, the robots may be managed and deployed on anysystem in the environment from a centralized command point and producereports after execution/deployment. In this embodiment, a centralizedcommand point may control and deploy (and monitor) the actions of therobots deployed in a customer's cluster. For example, a specificinstance may be dedicated to pen testing robots, thereby segregating thepen testing robots from other robots in Orchestrator™. This way, therobots can be treated differently based on the security level assignedto the robot.

FIG. 1 is an architectural diagram illustrating an RPA system 100,according to an embodiment of the present invention. RPA system 100includes a designer 110 that allows a developer to design and implementworkflows. Designer 110 may provide a solution for applicationintegration, as well as automating third-party applications,administrative Information Technology (IT) tasks, and business ITprocesses. Designer 110 may facilitate development of an automationproject, which is a graphical representation of a business process.Simply put, designer 110 facilitates the development and deployment ofworkflows and robots.

The automation project enables automation of rule-based processes bygiving the developer control of the execution order and the relationshipbetween a custom set of steps developed in a workflow, defined herein as“activities.” One commercial example of an embodiment of designer 110 isUiPath Studio™. Each activity may include an action, such as clicking abutton, reading a file, writing to a log panel, etc. In someembodiments, workflows may be nested or embedded.

Some types of workflows may include, but are not limited to, sequences,flowcharts, Finite State Machines (FSMs), and/or global exceptionhandlers. Sequences may be particularly suitable for linear processes,enabling flow from one activity to another without cluttering aworkflow. Flowcharts may be particularly suitable to more complexbusiness logic, enabling integration of decisions and connection ofactivities in a more diverse manner through multiple branching logicoperators. FSMs may be particularly suitable for large workflows. FSMsmay use a finite number of states in their execution, which aretriggered by a condition (i.e., transition) or an activity. Globalexception handlers may be particularly suitable for determining workflowbehavior when encountering an execution error and for debuggingprocesses.

Once a workflow is developed in designer 110, execution of businessprocesses is orchestrated by conductor 120, which orchestrates one ormore robots 130 that execute the workflows developed in designer 110.One commercial example of an embodiment of conductor 120 is UiPathOrchestrator™. Conductor 120 facilitates management of the creation,monitoring, and deployment of resources in an environment. Conductor 120may act as an integration point with third-party solutions andapplications.

Conductor 120 may manage a fleet of robots 130, connecting and executingrobots 130 from a centralized point. Types of robots 130 that may bemanaged include, but are not limited to, attended robots 132, unattendedrobots 134, development robots (similar to unattended robots 134, butused for development and testing purposes), and nonproduction robots(similar to attended robots 132, but used for development and testingpurposes). Attended robots 132 are triggered by user events and operatealongside a human on the same computing system. Attended robots 132 maybe used with conductor 120 for a centralized process deployment andlogging medium. Attended robots 132 may help the human user accomplishvarious tasks, and may be triggered by user events. In some embodiments,processes cannot be started from conductor 120 on this type of robotand/or they cannot run under a locked screen. In certain embodiments,attended robots 132 can only be started from a robot tray or from acommand prompt. Attended robots 132 should run under human supervisionin some embodiments.

Unattended robots 134 run unattended in virtual environments and canautomate many processes. Unattended robots 134 may be responsible forremote execution, monitoring, scheduling, and providing support for workqueues. Debugging for all robot types may be run in designer 110 in someembodiments. Both attended and unattended robots may automate varioussystems and applications including, but not limited to, mainframes, webapplications, VMs, enterprise applications (e.g., those produced bySAP®, SalesForce®, Oracle®, etc.), and computing system applications(e.g., desktop and laptop applications, mobile device applications,wearable computer applications, etc.).

Conductor 120 may have various capabilities including, but not limitedto, provisioning, deployment, configuration, queueing, monitoring,logging, and/or providing interconnectivity. Provisioning may includecreating and maintenance of connections between robots 130 and conductor120 (e.g., a web application). Deployment may include assuring thecorrect delivery of package versions to assigned robots 130 forexecution. Configuration may include maintenance and delivery of robotenvironments and process configurations. Queueing may include providingmanagement of queues and queue items. Monitoring may include keepingtrack of robot identification data and maintaining user permissions.Logging may include storing and indexing logs to a database (e.g., anSQL database) and/or another storage mechanism (e.g., ElasticSearch®,which provides the ability to store and quickly query large datasets).Conductor 120 may provide interconnectivity by acting as the centralizedpoint of communication for third-party solutions and/or applications.

Robots 130 are execution agents that run workflows built in designer110. One commercial example of some embodiments of robot(s) 130 isUiPath Robots™. In some embodiments, robots 130 install the MicrosoftWindows® Service Control Manager (SCM)-managed service by default. As aresult, such robots 130 can open interactive Windows® sessions under thelocal system account, and have the rights of a Windows® service.

In some embodiments, robots 130 can be installed in a user mode. Forsuch robots 130, this means they have the same rights as the user underwhich a given robot 130 has been installed. This feature may also beavailable for High Density (HD) robots, which ensure full utilization ofeach machine at its maximum potential. In some embodiments, any type ofrobot 130 may be configured in an HD environment.

Robots 130 in some embodiments are split into several components, eachbeing dedicated to a particular automation task. The robot components insome embodiments include, but are not limited to, SCM-managed robotservices, user mode robot services, executors, agents, and command line.SCM-managed robot services manage and monitor Windows® sessions and actas a proxy between conductor 120 and the execution hosts (i.e., thecomputing systems on which robots 130 are executed). These services aretrusted with and manage the credentials for robots 130. A consoleapplication is launched by the SCM under the local system.

User mode robot services in some embodiments manage and monitor Windows®sessions and act as a proxy between conductor 120 and the executionhosts. User mode robot services may be trusted with and manage thecredentials for robots 130. A Windows® application may automatically belaunched if the SCM-managed robot service is not installed.

Executors may run given jobs under a Windows® session (i.e., they mayexecute workflows. Executors may be aware of per-monitor dots per inch(DPI) settings. Agents may be Windows® Presentation Foundation (WPF)applications that display the available jobs in the system tray window.Agents may be a client of the service. Agents may request to start orstop jobs and change settings. The command line is a client of theservice. The command line is a console application that can request tostart jobs and waits for their output.

Having components of robots 130 split as explained above helpsdevelopers, support users, and computing systems more easily run,identify, and track what each component is executing. Special behaviorsmay be configured per component this way, such as setting up differentfirewall rules for the executor and the service. The executor may alwaysbe aware of DPI settings per monitor in some embodiments. As a result,workflows may be executed at any DPI, regardless of the configuration ofthe computing system on which they were created. Projects from designer110 may also be independent of browser zoom level in some embodiments.For applications that are DPI-unaware or intentionally marked asunaware, DPI may be disabled in some embodiments.

FIG. 2 is an architectural diagram illustrating a deployed RPA system200, according to an embodiment of the present invention. In someembodiments, RPA system 200 may be, or may be a part of, RPA system 100of FIG. 1. It should be noted that the client side, the server side, orboth, may include any desired number of computing systems withoutdeviating from the scope of the invention. On the client side, a robotapplication 210 includes executors 212, an agent 214, and a designer216. However, in some embodiments, designer 216 may not be running oncomputing system 210. Executors 212 are running processes. Severalbusiness projects may run simultaneously, as shown in FIG. 2. Agent 214(e.g., a Windows® service) is the single point of contact for allexecutors 212 in this embodiment. All messages in this embodiment arelogged into conductor 230, which processes them further via databaseserver 240, indexer server 250, or both. As discussed above with respectto FIG. 1, executors 212 may be robot components.

In some embodiments, a robot represents an association between a machinename and a username. The robot may manage multiple executors at the sametime. On computing systems that support multiple interactive sessionsrunning simultaneously (e.g., Windows® Server 2012), multiple robots maybe running at the same time, each in a separate Windows® session using aunique username. This is referred to as HD robots above.

Agent 214 is also responsible for sending the status of the robot (e.g.,periodically sending a “heartbeat” message indicating that the robot isstill functioning) and downloading the required version of the packageto be executed. The communication between agent 214 and conductor 230 isalways initiated by agent 214 in some embodiments. In the notificationscenario, agent 214 may open a WebSocket channel that is later used byconductor 230 to send commands to the robot (e.g., start, stop, etc.).

On the server side, a presentation layer (web application 232, Open DataProtocol (OData) Representative State Transfer (REST) ApplicationProgramming Interface (API) endpoints 234, and notification andmonitoring 236), a service layer (API implementation/business logic238), and a persistence layer (database server 240 and indexer server250) are included. Conductor 230 includes web application 232, ODataREST API endpoints 234, notification and monitoring 236, and APIimplementation/business logic 238. In some embodiments, most actionsthat a user performs in the interface of conductor 230 (e.g., viabrowser 220) are performed by calling various APIs. Such actions mayinclude, but are not limited to, starting jobs on robots,adding/removing data in queues, scheduling jobs to run unattended, etc.without deviating from the scope of the invention. Web application 232is the visual layer of the server platform. In this embodiment, webapplication 232 uses Hypertext Markup Language (HTML) and JavaScript(JS). However, any desired markup languages, script languages, or anyother formats may be used without deviating from the scope of theinvention. The user interacts with web pages from web application 232via browser 220 in this embodiment in order to perform various actionsto control conductor 230. For instance, the user may create robotgroups, assign packages to the robots, analyze logs per robot and/or perprocess, start and stop robots, etc.

In addition to web application 232, conductor 230 also includes servicelayer that exposes OData REST API endpoints 234. However, otherendpoints may be included without deviating from the scope of theinvention. The REST API is consumed by both web application 232 andagent 214. Agent 214 is the supervisor of one or more robots on theclient computer in this embodiment.

The REST API in this embodiment covers configuration, logging,monitoring, and queueing functionality. The configuration endpoints maybe used to define and configure application users, permissions, robots,assets, releases, and environments in some embodiments. Logging RESTendpoints may be used to log different information, such as errors,explicit messages sent by the robots, and other environment-specificinformation, for instance. Deployment REST endpoints may be used by therobots to query the package version that should be executed if the startjob command is used in conductor 230. Queueing REST endpoints may beresponsible for queues and queue item management, such as adding data toa queue, obtaining a transaction from the queue, setting the status of atransaction, etc.

Monitoring REST endpoints may monitor web application 232 and agent 214.Notification and monitoring API 236 may be REST endpoints that are usedfor registering agent 214, delivering configuration settings to agent214, and for sending/receiving notifications from the server and agent214. Notification and monitoring API 236 may also use Web Socketcommunication in some embodiments.

The persistence layer includes a pair of servers in thisembodiment—database server 240 (e.g., a SQL server) and indexer server250. Database server 240 in this embodiment stores the configurations ofthe robots, robot groups, associated processes, users, roles, schedules,etc. This information is managed through web application 232 in someembodiments. Database server 240 may manages queues and queue items. Insome embodiments, database server 240 may store messages logged by therobots (in addition to or in lieu of indexer server 250).

Indexer server 250, which is optional in some embodiments, stores andindexes the information logged by the robots. In certain embodiments,indexer server 250 may be disabled through configuration settings. Insome embodiments, indexer server 250 uses ElasticSearch®, which is anopen source project full-text search engine. Messages logged by robots(e.g., using activities like log message or write line) may be sentthrough the logging REST endpoint(s) to indexer server 250, where theyare indexed for future utilization.

FIG. 3 is an architectural diagram illustrating the relationship 300between a designer 310, activities 320, 330, drivers 340, and AI/MLmodels 350, according to an embodiment of the present invention. Per theabove, a developer uses designer 310 to develop workflows that areexecuted by robots. Workflows may include user-defined activities 320and UI automation activities 330. User-defined activities 320 and/or UIautomation activities 330 may call one or more AI/ML models 350 in someembodiments, which may be located locally to the computing system onwhich the robot is operating and/or remotely thereto. Some embodimentsare able to identify non-textual visual components in an image, which iscalled computer vision (CV) herein. Some CV activities pertaining tosuch components may include, but are not limited to, click, type, gettext, hover, element exists, refresh scope, highlight, etc. Click insome embodiments identifies an element using CV, optical characterrecognition (OCR), fuzzy text matching, and multi-anchor, for example,and clicks it. Type may identify an element using the above and types inthe element. Get text may identify the location of specific text andscan it using OCR. Hover may identify an element and hover over it.Element exists may check whether an element exists on the screen usingthe techniques described above. In some embodiments, there may behundreds or even thousands of activities that can be implemented indesigner 310. However, any number and/or type of activities may beavailable without deviating from the scope of the invention.

UI automation activities 330 are a subset of special, lower levelactivities that are written in lower level code (e.g., CV activities)and facilitate interactions with the screen. UI automation activities330 facilitate these interactions via drivers 340 and/or AI/ML models350 that allow the robot to interact with the desired software. Forinstance, drivers 340 may include OS drivers 342, browser drivers 344,VM drivers 346, enterprise application drivers 348, etc. One or more ofAI/ML models 350 may be used by UI automation activities 330 in order todetermine perform interactions with the computing system. In someembodiments, AI/ML models 350 may augment drivers 340 or replace themcompletely. Indeed, in certain embodiments, drivers 340 are notincluded.

Drivers 340 may interact with the OS at a low level looking for hooks,monitoring for keys, etc. They may facilitate integration with Chrome®,IE®, Citrix®, SAP®, etc. For instance, the “click” activity performs thesame role in these different applications via drivers 340.

FIG. 4 is an architectural diagram illustrating an RPA system 400,according to an embodiment of the present invention. In someembodiments, RPA system 400 may be or include RPA systems 100 and/or 200of FIGS. 1 and/or 2. RPA system 400 includes multiple client computingsystems 410 running robots. Computing systems 410 are able tocommunicate with a conductor computing system 420 via a web applicationrunning thereon. Conductor computing system 420, in turn, is able tocommunicate with a database server 430 and an optional indexer server440.

With respect to FIGS. 1 and 3, it should be noted that while a webapplication is used in these embodiments, any suitable client/serversoftware may be used without deviating from the scope of the invention.For instance, the conductor may run a server-side application thatcommunicates with non-web-based client software applications on theclient computing systems.

FIG. 5 is an architectural diagram illustrating a computing system 500configured to perform penetration testing without human intervention,according to an embodiment of the present invention. In someembodiments, computing system 500 may be one or more of the computingsystems depicted and/or described herein. Computing system 500 includesa bus 505 or other communication mechanism for communicatinginformation, and processor(s) 510 coupled to bus 505 for processinginformation. Processor(s) 510 may be any type of general or specificpurpose processor, including a Central Processing Unit (CPU), anApplication Specific Integrated Circuit (ASIC), a Field ProgrammableGate Array (FPGA), a Graphics Processing Unit (GPU), multiple instancesthereof, and/or any combination thereof. Processor(s) 510 may also havemultiple processing cores, and at least some of the cores may beconfigured to perform specific functions. Multi-parallel processing maybe used in some embodiments. In certain embodiments, at least one ofprocessor(s) 510 may be a neuromorphic circuit that includes processingelements that mimic biological neurons.

In some embodiments, neuromorphic circuits may not require the typicalcomponents of a Von Neumann computing architecture.

Computing system 500 further includes a memory 515 for storinginformation and instructions to be executed by processor(s) 510. Memory515 can be comprised of any combination of Random Access Memory (RAM),Read Only Memory (ROM), flash memory, cache, static storage such as amagnetic or optical disk, or any other types of non-transitorycomputer-readable media or combinations thereof. Non-transitorycomputer-readable media may be any available media that can be accessedby processor(s) 510 and may include volatile media, non-volatile media,or both. The media may also be removable, non-removable, or both.

Additionally, computing system 500 includes a communication device 520,such as a transceiver, to provide access to a communications network viaa wireless and/or wired connection. In some embodiments, communicationdevice 520 may be configured to use Frequency Division Multiple Access(FDMA), Single Carrier FDMA (SC-FDMA), Time Division Multiple Access(TDMA), Code Division Multiple Access (CDMA), Orthogonal FrequencyDivision Multiplexing (OFDM), Orthogonal Frequency Division MultipleAccess (OFDMA), Global System for Mobile (GSM) communications, GeneralPacket Radio Service (GPRS), Universal Mobile Telecommunications System(UMTS), cdma2000, Wideband CDMA (W-CDMA), High-Speed Downlink PacketAccess (HSDPA), High-Speed Uplink Packet Access (HSUPA), High-SpeedPacket Access (HSPA), Long Term Evolution (LTE), LTE Advanced (LTE-A),802.11x, Wi-Fi, Zigbee, Ultra-WideBand (UWB), 802.16x, 802.15, HomeNode-B (HnB), Bluetooth, Radio Frequency Identification (RFID), InfraredData Association (IrDA), Near-Field Communications (NFC), fifthgeneration (5G), New Radio (NR), any combination thereof, and/or anyother currently existing or future-implemented communications standardand/or protocol without deviating from the scope of the invention. Insome embodiments, communication device 520 may include one or moreantennas that are singular, arrayed, phased, switched, beamforming,beamsteering, a combination thereof, and or any other antennaconfiguration without deviating from the scope of the invention.

Processor(s) 510 are further coupled via bus 505 to a display 525, suchas a plasma display, a Liquid Crystal Display (LCD), a Light EmittingDiode (LED) display, a Field Emission Display (FED), an Organic LightEmitting Diode (OLED) display, a flexible OLED display, a flexiblesubstrate display, a projection display, a 4K display, a high definitiondisplay, a Retina® display, an In-Plane Switching (IPS) display, or anyother suitable display for displaying information to a user. Display 525may be configured as a touch (haptic) display, a three dimensional (3D)touch display, a multi-input touch display, a multi-touch display, etc.using resistive, capacitive, surface-acoustic wave (SAW) capacitive,infrared, optical imaging, dispersive signal technology, acoustic pulserecognition, frustrated total internal reflection, etc. Any suitabledisplay device and haptic I/O may be used without deviating from thescope of the invention.

A keyboard 530 and a cursor control device 535, such as a computermouse, a touchpad, etc., are further coupled to bus 505 to enable a userto interface with computing system 500. However, in certain embodiments,a physical keyboard and mouse may not be present, and the user mayinteract with the device solely through display 525 and/or a touchpad(not shown). Any type and combination of input devices may be used as amatter of design choice. In certain embodiments, no physical inputdevice and/or display is present. For instance, the user may interactwith computing system 500 remotely via another computing system incommunication therewith, or computing system 500 may operateautonomously.

Memory 515 stores software modules that provide functionality whenexecuted by processor(s) 510. The modules include an OS 540 forcomputing system 500. The modules further include a security automationmodule 545 that is configured to perform all or part of the processesdescribed herein or derivatives thereof. For example, pen testing module545 may execute a workflow (or it may be the workflow itself) to causeone or more robots to simulate a penetration test on the OS. Computingsystem 500 may include one or more additional functional modules 550that include additional functionality.

One skilled in the art will appreciate that a “system” could be embodiedas a server, an embedded computing system, a personal computer, aconsole, a personal digital assistant (PDA), a cell phone, a tabletcomputing device, a quantum computing system, or any other suitablecomputing device, or combination of devices without deviating from thescope of the invention. Presenting the above-described functions asbeing performed by a “system” is not intended to limit the scope of thepresent invention in any way, but is intended to provide one example ofthe many embodiments of the present invention. Indeed, methods, systems,and apparatuses disclosed herein may be implemented in localized anddistributed forms consistent with computing technology, including cloudcomputing systems. The computing system could be part of or otherwiseaccessible by a local area network (LAN), a mobile communicationsnetwork, a satellite communications network, the Internet, a public orprivate cloud, a hybrid cloud, a server farm, any combination thereof,etc. Any localized or distributed architecture may be used withoutdeviating from the scope of the invention.

It should be noted that some of the system features described in thisspecification have been presented as modules, in order to moreparticularly emphasize their implementation independence. For example, amodule may be implemented as a hardware circuit comprising custom verylarge scale integration (VLSI) circuits or gate arrays, off-the-shelfsemiconductors such as logic chips, transistors, or other discretecomponents. A module may also be implemented in programmable hardwaredevices such as field programmable gate arrays, programmable arraylogic, programmable logic devices, graphics processing units, or thelike.

A module may also be at least partially implemented in software forexecution by various types of processors. An identified unit ofexecutable code may, for instance, include one or more physical orlogical blocks of computer instructions that may, for instance, beorganized as an object, procedure, or function. Nevertheless, theexecutables of an identified module need not be physically locatedtogether, but may include disparate instructions stored in differentlocations that, when joined logically together, comprise the module andachieve the stated purpose for the module. Further, modules may bestored on a computer-readable medium, which may be, for instance, a harddisk drive, flash device, RAM, tape, and/or any other suchnon-transitory computer-readable medium used to store data withoutdeviating from the scope of the invention.

Indeed, a module of executable code could be a single instruction, ormany instructions, and may even be distributed over several differentcode segments, among different programs, and across several memorydevices. Similarly, operational data may be identified and illustratedherein within modules, and may be embodied in any suitable form andorganized within any suitable type of data structure. The operationaldata may be collected as a single data set, or may be distributed overdifferent locations including over different storage devices, and mayexist, at least partially, merely as electronic signals on a system ornetwork.

FIG. 6 is a flow diagram illustrating a method 600 for testing an entireenvironment for security vulnerabilities, according to an embodiment ofthe present invention. In some embodiments, a security automation (e.g.,pen testing) workflow may be performed on one or more OSs. To begin,method 600 may begin with directly connecting one or more robots into anOS of a platform at 605. At 610, the robot determines the OS and loadsthe appropriate workflow in order to execute the pen test. This isimportant because a service may be running on a different port number ormay have a different binary depending on the OS. For this reason, therobot may also determine the environment in which the OS is operatingand/or the user level access for the given OS or computing system. Itshould be noted that this determination may be achieved by runningdifferent commands, and based on the output of the command, the OS typemay be determined. Based on this determination, the robot may load theworkflow to perform the pen test. At 615, the one or more robotssimulate the pen test on the OS to identify malicious activity orvulnerable configurations within the OS and/or environment. At 620, areport is generated for the user. The report identifies the maliciousactivity or the vulnerable configurations within the operating system.

The user may then fix the vulnerabilities identified in the report. Inanother embodiment, the robot may identify the malicious activity and/orvulnerable configurations and install a patch to fix the identifiedissues, install a security update, shut down a service associated withthe vulnerability, terminate the execution of a program/binary, closeone or more ports, etc.

In some additional embodiments, the robot reports the malicious activityand/or vulnerabilities to a system robot. The system robot may thenperform the corrective measures based on the report. See, for example,FIG. 8. These corrective measures may be similar to those discussed inthe paragraph above.

FIG. 7 is a flow diagram illustrating a method 700 for modifying aworkflow, according to an embodiment of the present invention. In someembodiments, method 700 may begin with at 705 with the robot generatingthe report of the pen test after completion of the pen test by therobot. At 710, a ML algorithm compares the workflow report against arepository of workflows and/or results from prior pen tests. In someembodiments, the workflow may be compared against previously recordedpen tests either by the pen tester or the robot. At 715, the MLalgorithm modifies the workflow by modifying one or more steps in theworkflow or combines the workflow with another workflow previouslystored in the database. At 720, the ML algorithm generates a newmodified workflow for the robot to execute. This method is particularlyuseful because previous runtime errors in the workflow, flaws or holesin the workflow, etc., may be removed, thereby improving the overallworkflow for the pen test.

The process steps performed in FIGS. 6 and 7 may be performed by acomputer program, encoding instructions for the processor(s) to performat least part of the process(es) described in FIGS. 6 and 7, inaccordance with embodiments of the present invention. The computerprogram may be embodied on a non-transitory computer-readable medium.The computer-readable medium may be, but is not limited to, a hard diskdrive, a flash device, RAM, a tape, and/or any other such medium orcombination of media used to store data. The computer program mayinclude encoded instructions for controlling processor(s) of a computingsystem (e.g., processor(s) 510 of computing system 500 of FIG. 5) toimplement all or part of the process steps described in FIGS. 6 and 7,which may also be stored on the computer-readable medium.

The computer program can be implemented in hardware, software, or ahybrid implementation. The computer program can be composed of modulesthat are in operative communication with one another, and which aredesigned to pass information or instructions to display. The computerprogram can be configured to operate on a general purpose computer, anASIC, or any other suitable device.

FIG. 8 is a diagram illustrating a workflow 800 for executing a sequenceof steps by one or more robots during a pen test, according to anembodiment of the present invention. In some embodiment, workflows 800begins with determining the operating system. Workflow 800 may thenexecute a discover attack surface sequence, which loads the parametersof the pen test and performs the test. Workflow 800 may then prepare areport from the pen test, and in response to the report, may performpatches or fixes to the vulnerabilities or security breaches foundduring the test. Workflow 800 may also generate a report findings. Thereport findings may include vulnerabilities and suggested fixes or fixesthat were performed by the robot. It should be appreciated that one ormore robots, with different access/permission levels, may executeworkflow 800

FIGS. 9 and 10 are diagrams illustrating a conceptual state machine andworkflow 900, 1000, respectively, for executing a targeted fuzzingapproach, according to an embodiment of the present invention. Bothworkflows 900, 1000 may be executed by one or more robots with differentaccess/permission levels. To begin fuzzing, workflows 900 and 1000 areconfigurable to attach target program, and based on the target program,generate payloads for performing the fuzzing. Workflows 900 and 1000 mayrun the payloads against the target, and analyze the behavior of therun. Depending on the analysis, a report findings is generated oranother target is created by the workflow to performing another fuzzingattack. The difference between workflows 900 and 1000 is that workflow900 is a more simplified workflow, which is used for the purpose ofexplaining the concept of fuzzing.

Although some embodiments discuss the use of pen testing, it should beappreciated that the other techniques may be used. For example, any typeof security testing or hardening may be executed by one or more robots.

It will be readily understood that the components of various embodimentsof the present invention, as generally described and illustrated in thefigures herein, may be arranged and designed in a wide variety ofdifferent configurations. Thus, the detailed description of theembodiments of the present invention, as represented in the attachedfigures, is not intended to limit the scope of the invention as claimed,but is merely representative of selected embodiments of the invention.

The features, structures, or characteristics of the invention describedthroughout this specification may be combined in any suitable manner inone or more embodiments. For example, reference throughout thisspecification to “certain embodiments,” “some embodiments,” or similarlanguage means that a particular feature, structure, or characteristicdescribed in connection with the embodiment is included in at least oneembodiment of the present invention. Thus, appearances of the phrases“in certain embodiments,” “in some embodiment,” “in other embodiments,”or similar language throughout this specification do not necessarily allrefer to the same group of embodiments and the described features,structures, or characteristics may be combined in any suitable manner inone or more embodiments.

It should be noted that reference throughout this specification tofeatures, advantages, or similar language does not imply that all of thefeatures and advantages that may be realized with the present inventionshould be or are in any single embodiment of the invention. Rather,language referring to the features and advantages is understood to meanthat a specific feature, advantage, or characteristic described inconnection with an embodiment is included in at least one embodiment ofthe present invention. Thus, discussion of the features and advantages,and similar language, throughout this specification may, but do notnecessarily, refer to the same embodiment.

Furthermore, the described features, advantages, and characteristics ofthe invention may be combined in any suitable manner in one or moreembodiments. One skilled in the relevant art will recognize that theinvention can be practiced without one or more of the specific featuresor advantages of a particular embodiment. In other instances, additionalfeatures and advantages may be recognized in certain embodiments thatmay not be present in all embodiments of the invention.

One having ordinary skill in the art will readily understand that theinvention as discussed above may be practiced with steps in a differentorder, and/or with hardware elements in configurations which aredifferent than those which are disclosed. Therefore, although theinvention has been described based upon these preferred embodiments, itwould be apparent to those of skill in the art that certainmodifications, variations, and alternative constructions would beapparent, while remaining within the spirit and scope of the invention.In order to determine the metes and bounds of the invention, therefore,reference should be made to the appended claims.

1. A computer-implemented method for performing penetration testing using robotic process automation (RPA), the method comprising: directly connecting one or more robots into an operating system of a platform; executing, by the one or more robots, a workflow to simulate the penetration testing of the operating system to identify malicious activity or vulnerable configurations within the operating system; and generating, by the one or more robots, a report for the user identifying the malicious activity or the vulnerable configurations within the operating system.
 2. The computer-implemented method of claim 1, wherein the directly connecting of the one or more robots comprising: utilizing the one or more robots configured to perform a RPA process, and reassigning the one or more robots to perform the penetration testing.
 3. The computer-implemented method of claim 1, wherein the directly connecting of the one or more robots comprising: deploying the one or more robots unassigned to one another RPA process, and assigning the one or more robots to perform the penetration testing.
 4. The computer-implemented method of claim 1, wherein the executing of the penetration testing comprising: accessing the workflow specific for the operating system; and executing the workflow to cause the one or more robots to simulate the penetration testing.
 5. The computer-implemented method of claim 1, wherein the executing of the penetration testing comprising: recording, by the one or more robots, actions performed by a penetration tester during a penetration test; and using, by the one or more robots, the recorded actions to create the workflow to simulate the penetration test.
 6. The computer-implemented method of claim 1, wherein the executing of the penetration testing comprising: scanning, by the one or more robots, ports and services open or available within the OS, and identifying the ports and services with vulnerabilities and weak credential logins.
 7. The computer-implemented method of claim 1, wherein the executing of the penetration testing comprising: attempting to access, by the one or more robots, one or more user accounts to identify one or more compromised user accounts, wherein the attempting to access of the one or more user accounts comprises using default login credentials for each the one or more user accounts, and identifying the one or more comprised user accounts that are granted access during the penetration testing.
 8. The computer-implemented method of claim 1, further comprising: upon directly connecting with the operating system, determining, by the one or more robots, type of the operating system; and loading, by the one or more robots, the workflow associated with the type of operating system in order to execute the simulation of the penetration testing.
 9. The computer-implemented method of claim 1, further comprising: modifying, by a system admin robot, one or more steps in a workflow to create a new workflow for simulating the penetration testing, or combining, by the system admin robot, two or more workflows to create a new workflow for simulating the penetration testing.
 10. The computer-implemented method of claim 1, further comprising: receiving, by a system admin robot, the report identifying the malicious activity, misconfigurations or vulnerabilities within the operating system; and executing, by the system admin robot, a workflow to perform corrective measures removing the malicious activity, misconfigurations or vulnerabilities within the operating system.
 11. An apparatus configured to perform penetration testing using robotic processor automation (RPA), the apparatus comprising: memory comprising a set of instructions; and at least one processor, wherein the set of instructions are configured to cause the at least one processor to execute: directly connecting one or more robots into an operating system of a platform; executing, by the one or more robots, a workflow to simulate the penetration testing of the operating system to identify malicious activity, misconfigurations or vulnerabilities within the operating system; and generating, by the one or more robots, a report for the user identifying the malicious activity, misconfigurations or vulnerabilities within the operating system.
 12. The apparatus of claim 11, wherein the set of instructions are further configured to cause the at least one processor to execute: utilizing the one or more robots configured to perform a RPA process, and reassigning the one or more robots to perform the penetration testing.
 13. The apparatus of claim 11, wherein the set of instructions are further configured to cause the at least one processor to execute: deploying the one or more robots unassigned to one another RPA process, and assigning the one or more robots to perform the penetration testing.
 14. The apparatus of claim 11, wherein the set of instructions are further configured to cause the at least one processor to execute: accessing the workflow specific for the operating system; and executing the workflow to cause the one or more robots to simulate the penetration testing.
 15. The apparatus of claim 11, wherein the set of instructions are further configured to cause the at least one processor to execute: recording, by the one or more robots, actions performed by a penetration tester during a penetration test; and using, by the one or more robots, the recorded actions to create the workflow to simulate the penetration test.
 16. The apparatus of claim 11, wherein the set of instructions are further configured to cause the at least one processor to execute: scanning, by the one or more robots, ports and services open or available within the OS, and identifying the ports and services with vulnerabilities and weak credential logins.
 17. The apparatus of claim 11, wherein the set of instructions are further configured to cause the at least one processor to execute: attempting to access, by the one or more robots, one or more user accounts to identify one or more compromised user accounts, wherein the attempting to access of the one or more user accounts comprises using default login credentials for each the one or more user accounts, and identifying the one or more comprised user accounts that are granted access during the penetration testing.
 18. The apparatus of claim 11, the set of instructions are further configured to cause the at least one processor to execute: upon directly connecting with the operating system, determining, by the one or more robots, type of the operating system; and loading, by the one or more robots, the workflow associated with the type of operating system in order to execute the simulation of the penetration testing.
 19. The apparatus of claim 11, the set of instructions are further configured to cause the at least one processor to execute: modifying, by a system admin robot, one or more steps in a workflow to create a new workflow for simulating the penetration testing, or combining, by the system admin robot, two or more workflows to create a new workflow for simulating the penetration testing.
 20. The apparatus of claim 11, the set of instructions are further configured to cause the at least one processor to execute: receiving, by a system admin robot, the report identifying the malicious activity, misconfigurations or vulnerabilities within the operating system; and executing, by the system admin robot, a workflow to perform corrective measures removing the malicious activity, misconfigurations or vulnerabilities within the operating system.
 21. A computer program embodied on a non-transitory computer-readable medium, the computer program is configured to cause at least one processor to execute: directly connecting one or more robots into an operating system of a platform; executing, by the one or more robots, a workflow to simulate the penetration testing of the operating system to identify malicious activity, misconfigurations or vulnerabilities within the operating system; and generating, by the one or more robots, a report for the user identifying the malicious activity, misconfigurations or vulnerabilities within the operating system.
 22. The computer program of claim 21, wherein the computer program is further configured to cause at least one processor to execute: utilizing the one or more robots configured to perform a RPA process, and reassigning the one or more robots to perform the penetration testing.
 23. The computer program of claim 21, wherein the computer program is further configured to cause at least one processor to execute: deploying the one or more robots unassigned to one another RPA process, and assigning the one or more robots to perform the penetration testing.
 24. The computer program of claim 21, wherein the computer program is further configured to cause at least one processor to execute: accessing the workflow specific for the operating system; and executing the workflow to cause the one or more robots to simulate the penetration testing.
 25. The computer program of claim 21, wherein the computer program is further configured to cause at least one processor to execute: recording, by the one or more robots, actions performed by a penetration tester during a penetration test; and using, by the one or more robots, the recorded actions to create the workflow to simulate the penetration test.
 26. The computer program of claim 21, wherein the computer program is further configured to cause at least one processor to execute: scanning, by the one or more robots, ports and services open or available within the OS, and identifying the ports and services with vulnerabilities and weak credential logins.
 27. The computer program of claim 21, wherein the computer program is further configured to cause at least one processor to execute: attempting to access, by the one or more robots, one or more user accounts to identify one or more compromised user accounts, wherein the attempting to access of the one or more user accounts comprises using default login credentials for each the one or more user accounts, and identifying the one or more comprised user accounts that are granted access during the penetration testing.
 28. The computer program of claim 21, wherein the computer program is further configured to cause at least one processor to execute: upon directly connecting with the operating system, determining, by the one or more robots, type of the operating system; and loading, by the one or more robots, the workflow associated with the type of operating system in order to execute the simulation of the penetration testing.
 29. The computer program of claim 21, wherein the computer program is further configured to cause at least one processor to execute: modifying, by a system admin robot, one or more steps in a workflow to create a new workflow for simulating the penetration testing, or combining, by the system admin robot, two or more workflows to create a new workflow for simulating the penetration testing.
 30. The computer program of claim 21, wherein the computer program is further configured to cause at least one processor to execute: receiving, by a system admin robot, the report identifying the malicious activity, misconfigurations or vulnerabilities within the operating system; and executing, by the system admin robot, a workflow to perform corrective measures removing the malicious activity, misconfigurations or vulnerabilities within the operating system. 